Privacy Policy

Effective date: March 20, 2026

1. Introduction

DC Bridge ("we", "us", "our") operates the WhatsApp Direct Connect platform at dcbridge.app. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

DC Bridge is a bridge service that connects your CRM or application to WhatsApp via WebSocket protocol. We act as a pass-through layer and are designed with a zero message storage architecture.

By using DC Bridge, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of the service.

2. Information We Collect

Account Information

When you register for a DC Bridge account, we collect:

Name — your display name
Email address — used for login, verification, and transactional notifications
Password — stored as a one-way bcrypt hash (we never store or see your plaintext password)

Device Configuration

When you create a WhatsApp device connection, we store:

Device alias — a label you assign (e.g., "Sales", "Support")
Phone number and display name — retrieved from WhatsApp upon connection
Connection state — whether the device is currently connected
API key — a unique token for authenticating device-level API requests
Webhook configuration — your webhook URL, webhook secret, and payload format preference

Session Data

To maintain your WhatsApp connection across server restarts without requiring you to re-scan a QR code, we store Signal protocol credentials in encrypted binary form in the database. These are cryptographic keys used solely for session restoration.

Connection Logs

We record timestamps and event types for connection lifecycle events (connected, disconnected, QR generated, authentication failed, session restored, logged out). These logs contain no message content.

Webhook Delivery Logs

Each webhook dispatch is logged with the event type, destination URL, HTTP status code, number of retry attempts, response time, and success/failure status. These logs are automatically pruned to the most recent 500 entries per device. No message content is included in these logs.

3. How We Use Your Information

We use the information we collect to:

Authenticate you and manage your account
Establish and maintain your WhatsApp device connections
Deliver incoming WhatsApp messages and events to your configured webhook URL
Send transactional emails: account verification, password reset, and device disconnect alerts
Enforce safety limits (warm-up schedules, daily message caps) to protect your WhatsApp number
Monitor service health and troubleshoot webhook delivery issues
Prevent abuse through rate limiting and input validation

4. Data We Do NOT Collect or Store

      Zero Message Storage Policy: DC Bridge does not store, log, or persist
      any WhatsApp message content. Ever.
    

Specifically, we do not store:

Message text — incoming and outgoing message content passes through our servers and is immediately forwarded to your webhook URL
Media files — images, videos, documents, and audio are downloaded from WhatsApp, base64-encoded, delivered to your webhook, and immediately discarded from memory
Contact lists — contact information discovered from WhatsApp is forwarded via webhook and not retained
Read receipts and typing indicators — delivery status events are forwarded and not stored
Conversation history — no chat logs, no message archives, no searchable index

Our architecture is designed so that message data exists in our system only for the brief moment required to parse, format, and dispatch it to your webhook endpoint.

5. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data to any third party.

We share data only with the following service providers, strictly for operating the platform:

Provider	Purpose	Data Shared
Railway	Infrastructure hosting (US)	All platform data is hosted on Railway servers
Microsoft (Graph API)	Transactional email delivery	Recipient email address, email subject and body
WhatsApp (Meta)	Messaging protocol	Messages you send/receive via your connected device

We do not use any third-party analytics, tracking pixels, advertising networks, or data brokers. There are no cookies — authentication is handled via JWT tokens.

We may disclose information if required by law, legal process, or governmental request, or to protect the rights, safety, or property of DC Bridge, our users, or the public.

6. Data Security

We take the security of your data seriously and implement multiple layers of protection:

Password hashing — all passwords are stored using bcrypt with automatic salting
Webhook signing — every webhook payload is signed with HMAC-SHA256 using your webhook secret, allowing you to verify authenticity and integrity
SSRF prevention — webhook URLs are validated against private IP ranges, localhost, and cloud metadata endpoints
XSS protection — all user-supplied values are escaped before rendering
Rate limiting — strict per-IP rate limits on authentication endpoints to prevent brute-force attacks
Timing-safe comparison — API key verification uses constant-time comparison to prevent timing attacks
Security headers — HSTS, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers are set on all responses
Non-root containers — the application runs as an unprivileged user in production
No hardcoded secrets — all secrets are auto-generated or environment-configured

While we employ industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability.

7. Data Retention

Data Type	Retention
Account information	Until you delete your account
Device configuration	Until the device is deleted
Session credentials	Until the device is deleted or session is terminated
Connection logs	Stored for operational monitoring; deleted with the device
Webhook delivery logs	Auto-pruned to 500 most recent entries per device
Message content	Not retained — forwarded and immediately discarded
Media files	Not retained — base64-encoded, forwarded, and discarded

8. Your Rights

You have the following rights regarding your data:

Access — view your account information, device configurations, and webhook settings through the dashboard at any time
Correction — update your name, email, password, and device configurations through the dashboard
Deletion — delete individual devices or your entire account through the dashboard. Account deletion removes all associated devices, sessions, connection logs, and webhook logs
Export — retrieve your device configurations and webhook settings via the API
Disconnect — terminate any WhatsApp session at any time, which removes the session credentials from our database

To exercise any of these rights, you can use the DC Bridge dashboard or contact us directly. We will respond to data requests within 30 days.

9. Email Communications

We send emails only for essential, transactional purposes:

Account verification — a one-time email to verify your email address upon registration
Password reset — sent only when you request a password reset (link expires after 1 hour)
Disconnect alerts — sent when one of your WhatsApp devices disconnects or is logged out, so you can take action

We do not send marketing emails, newsletters, or promotional content. Email delivery is handled through Microsoft Graph API. Your email address is not shared with any marketing platform.

10. Children's Privacy

DC Bridge is a business-to-business service intended for use by organizations and professionals. We do not knowingly collect personal information from anyone under the age of 18. If you are a parent or guardian and believe your child has provided us with personal data, please contact us and we will promptly delete it.

11. International Data Transfers

DC Bridge infrastructure is hosted on Railway (United States). If you access the service from outside the United States, your data will be transferred to and processed in the US.

By using DC Bridge, you consent to this transfer. We ensure that your data is protected in accordance with this Privacy Policy regardless of where it is processed.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Effective date" at the top of this page. For significant changes, we may notify registered users via email.

We encourage you to review this policy periodically. Your continued use of DC Bridge after changes are posted constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy, your data, or wish to exercise your rights, please contact us:

Service: DC Bridge
Website: dcbridge.app
Email: privacy@dcbridge.app